https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589909#M205390 <P>Thank you very much&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;for timely help.&nbsp; Sure, will make the index name as explicit instead of using *.</P><P>Thanks again.</P> Mon, 21 Mar 2022 01:56:03 GMT msg4sunil 2022-03-21T01:56:03Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589901#M205385 <P>How do combine the below 2 searches into one?</P> <P>1. <EM>* orderid|stats count by id</EM></P> <P>returns something like&nbsp;</P> <P>2022-03-21T00:10:16,999Z ...INFO [thread_id=12349, <STRONG>id</STRONG>=<FONT color="#339966">VU53ZQCTTMLPG</FONT>, .....<BR />2022-03-21T00:10:16,995Z....INFO [thread_id=549, <STRONG>id</STRONG>=<FONT color="#339966">F2PAC6ITNX6O3</FONT>,</P> <P>2. Based on the above response, I need to query as below after fetching the "<STRONG>id</STRONG>".&nbsp; Note, "id's would vary for different orderid and the number of "id"'s would also vary&nbsp;</P> <P><EM>id IN ("<FONT color="#339966">VU53ZQCTTMLPG</FONT>","<FONT color="#339966">F2PAC6ITNX6O3</FONT>")</EM></P> <P>&nbsp;</P> <P>Thank you</P> Mon, 21 Mar 2022 17:39:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589901#M205385 msg4sunil 2022-03-21T17:39:48Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589902#M205386 <P>There are a number of ways to do this, with subsearches, joins or aggregations, but it's not easy to give you an absolute solution.</P><P>The most obvious example from your description is the subsearch, which would be something like</P><LI-CODE lang="markup">Your second search [ search your first search | stats count by id | fields id ]</LI-CODE><P>which would pass the list of ids in the subsearch to the outer search which is effectively doing&nbsp;</P><P>(id1 OR id=2 OR id=3..)</P><P>as part of the outer search</P><P>You can use other techniques, such as searching for all the data in a single search and then manipulating it with eval/stats to get to your desired output, but need more info on that.</P><P>join command is an option, but should rarely be the first choice, as 'join' has limitations and is not really the way to do this sort of task in Splunk world</P><P>&nbsp;</P> Mon, 21 Mar 2022 00:55:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589902#M205386 bowesmana 2022-03-21T00:55:53Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589907#M205388 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;, can you please give one example?&nbsp; The below doesnt work.</P><P>index=* id IN [index=* "985be6370637"| fields id]</P> Mon, 21 Mar 2022 01:20:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589907#M205388 msg4sunil 2022-03-21T01:20:58Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589908#M205389 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244042">@msg4sunil</a>&nbsp;</P><LI-CODE lang="markup">index=* [ search index=* "985be6370637" | stats count by id | fields id ]</LI-CODE><P>It is not good practice to use index=* - admins do not like users who cast a wide search net - always be as specific as possible when making your search - particularly in this case, you are making two searches.</P><P>&nbsp;</P> Mon, 21 Mar 2022 01:32:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589908#M205389 bowesmana 2022-03-21T01:32:46Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589909#M205390 <P>Thank you very much&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;for timely help.&nbsp; Sure, will make the index name as explicit instead of using *.</P><P>Thanks again.</P> Mon, 21 Mar 2022 01:56:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-search/m-p/589909#M205390 msg4sunil 2022-03-21T01:56:03Z